2018-11-17, 08:17 PM
The current system is simple:
- Type/Paste Username
- Type/Paste Password
- Login
- Type/Paste Username
- Type/Paste Password
- Login/Reset Password/Forgot Username
- Temp password sent to email
- Temp password sent to email
What I propose is we simplify the system:
- Type Username
- Type Password
- Login
How do most bot programs work? They paste into the username and password field(s) instead of typing them out. On the registration form, the program (bot) uses the registration form to generate input(s) that it can then paste into the forms.
If we force the bots to type all fields (mainly the login form), they can register but not log in, because they are pasting values instead of typing.
Another recommendation is to change how we "reset" passwords. Instead of sending new passwords, it should send an "Access Code" that expires in 15 minutes, sort of like how Google makes you input a security code when logging into a new device. It keeps the password until an Access Code overrides it.
Click Reset Password -> Directed to Reset Page -> Type a verified e-mail address -> Send -> Code sent only to a verified e-mail (then they get redirected to a page that expires in 20 minutes (5 minutes to allow the system to process the request + 15 until the code expires)) -> User types their Username and Pass Code -> If code is valid -> Sent to page to type a new password -> If typed wrong 3 times, session expires and code is voided.
The main idea is to disable the ability to PASTE in any registration forms, login fields, or in the reset process; this will knock out a lot of botting issues until they can mimic "typing" instead of pasting values.
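The reset flow described in the post above, written out as an added server-side example; this is not code from the original post or from the site being discussed. The class and method names (ResetService, request_code, redeem_code, set_new_password), the in-memory account store, the six-digit code format and the "outbox" list standing in for a mailer are all assumptions made for illustration. It models the parts the post specifies: a code goes only to a verified e-mail, it expires after 15 minutes, three wrong entries void it, and the existing password stays valid until a new one is set with a redeemed code.

```python
# Added example (not from the original post): minimal model of the proposed
# "Access Code" password reset flow. All names and the in-memory storage are
# assumptions for illustration; a real deployment would persist this in a DB
# and send the code through a mailer.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60   # code is valid for 15 minutes after issue
MAX_ATTEMPTS = 3             # third wrong entry voids the code


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash, stored as 'salthex:digesthex' (assumed format)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def _hash_code(code: str) -> bytes:
    # Codes are stored hashed so a leaked table does not hand out live codes.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool
    password_hash: str


@dataclass
class PendingReset:
    code_hash: bytes
    issued_at: float
    attempts: int = 0
    redeemed: bool = False


class ResetService:
    def __init__(self, accounts: List[Account], now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.username: a for a in accounts}
        self.now = now                      # injectable clock, so expiry can be tested
        self.pending: Dict[str, PendingReset] = {}
        self.outbox: List[Tuple[str, str]] = []   # (email, code) pairs "sent"; stand-in for a mailer

    def request_code(self, email: str) -> bool:
        """Issue a code only if the address belongs to a verified account.
        The account's existing password is left untouched."""
        for acct in self.accounts.values():
            if acct.email.lower() == email.lower() and acct.email_verified:
                code = f"{secrets.randbelow(10**6):06d}"   # six-digit code (assumed format)
                self.pending[acct.username] = PendingReset(_hash_code(code), self.now())
                self.outbox.append((acct.email, code))
                return True
        return False   # unknown or unverified address: nothing is sent

    def redeem_code(self, username: str, code: str) -> bool:
        """Check username + code. Expired codes and the third wrong attempt void it."""
        pr = self.pending.get(username)
        if pr is None:
            return False
        if self.now() - pr.issued_at > CODE_TTL_SECONDS:
            del self.pending[username]      # expired: user must request a new code
            return False
        if not hmac.compare_digest(pr.code_hash, _hash_code(code)):
            pr.attempts += 1
            if pr.attempts >= MAX_ATTEMPTS:
                del self.pending[username]  # code voided after three misses
            return False
        pr.redeemed = True
        return True

    def set_new_password(self, username: str, new_password: str) -> bool:
        """Only a redeemed, unexpired code may override the stored password."""
        pr = self.pending.get(username)
        if pr is None or not pr.redeemed or self.now() - pr.issued_at > CODE_TTL_SECONDS:
            return False
        self.accounts[username].password_hash = hash_password(new_password)
        del self.pending[username]          # single use
        return True


if __name__ == "__main__":
    # Constructed sample accounts; "bob" has not verified his address.
    svc = ResetService([
        Account("alice", "alice@example.com", True, hash_password("old-pass")),
        Account("bob", "bob@example.com", False, hash_password("old-pass")),
    ])
    print("bob gets a code:", svc.request_code("bob@example.com"))
    print("alice gets a code:", svc.request_code("alice@example.com"))
    _, code = svc.outbox[-1]
    print("redeem:", svc.redeem_code("alice", code))
    print("set new password:", svc.set_new_password("alice", "new-pass"))
```

The clock is injected so the 15-minute window can be checked without waiting; the code is compared with hmac.compare_digest rather than == to avoid timing differences between right and wrong guesses.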